CVE-2025-56110

HighPublic PoC

Published: 11 December 2025

Published

11 December 2025

Modified

26 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0104 77.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_deal_update in file /usr/lib/lua/luci/controller/api/rcmsAPI.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 enforces validation of information inputs to the action_deal_update function, directly preventing crafted POST requests from injecting and executing arbitrary OS commands.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely remediation of the specific OS command injection flaw in /usr/lib/lua/luci/controller/api/rcmsAPI.lua through vendor patches.

SC-7 Boundary Protection partial match

preventdetect

SC-7 provides boundary protection at network interfaces to monitor and block malicious POST requests exploiting the vulnerable rcmsAPI.lua endpoint.

Security SummaryAI

CVE-2025-56110 is an OS Command Injection vulnerability (CWE-78) in Ruijie RG-BCR and RG-BCR860 devices. The issue exists in the action_deal_update function within the file /usr/lib/lua/luci/controller/api/rcmsAPI.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and significant impacts.

The vulnerability can be exploited by low-privileged attackers (PR:L) over the network with low attack complexity and no user interaction required. By crafting a malicious POST request to the vulnerable endpoint, such attackers can inject and execute arbitrary OS commands, potentially leading to remote code execution with high confidentiality, integrity, and availability impacts on the affected device.

Mitigation details are outlined in the referenced advisories, including vulnerability reports at https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56110.md and supporting documents at https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10, https://1drv.ms/t/c/12406a392c92914b/EWK5h1b7Ig1Pt-jdTSQ6t5wBYIbKPHujlBimUpdYNVR-6A?e=eQRXef. Security practitioners should consult these for patch availability and workaround guidance specific to Ruijie RG-BCR series devices.

Details

CWE(s): CWE-78

Affected Products

ruijie

rg-bcr860 firmware

all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

OS command injection via crafted POST to web API on network device enables exploitation of public-facing application (T1190) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10
Product, Broken Link · cve@mitre.org
https://1drv.ms/t/c/12406a392c92914b/EWK5h1b7Ig1Pt-jdTSQ6t5wBYIbKPHujlBimUpdYNVR-6A?e=eQRXef
Third Party Advisory, Broken Link · cve@mitre.org
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56110.md
Exploit, Third Party Advisory · cve@mitre.org